Attacks against DNS service provider Dyn resumed today after a two and a half hour lull, and could indicate a new application of an old criminal technology, experts say.

Dyn hasn’t shared details on the type of DDoS attacks used nor the size of those attacks that have affected access to sites including Amazon, Etsy, GitHub, Shopify, Twitter and the New York Times.

The company describes the situation as “several attacks aimed against the Dyn Managed DNS infrastructure” that its engineers are working to mitigate. Dyn posted notice of the first wave about 7 a.m. Eastern and lasted until about 9:20 a.m. Eastern. The attacks started up again at 11:52 a.m. Eastern.

Some of Dyn’s advanced services have also been affected, which means there may be delays in monitoring, the company says on its status page.

This type of victim is a new approach by criminals using DDoS for profit, says Chase Cunningham, director of cyber operations for A10 Networks. The difference is that they are going after upstream service providers, meaning that not only the direct target is affected but also the target’s customers that rely on it for DNS services.

DNS services are needed to resolve the common human-language names of sites to machine-readable IP addresses so traffic can be delivered.

Cunningham says he’s seen chatter on underground forums indicating that the attackers tried to extort Bitcoin from Dyn by threatening the attacks, and when the provider didn’t pay up, launched them. He says Dyn seems to be doing a pretty good job of mitigating the effects relatively quickly. He says forums estimated the size of the attacks at 5Gbps.

While Dyn may be relatively capable of defending itself, the attackers will likely try attacking other providers, seeking those not as well prepared and so more susceptible to paying the extortion, he says.

The impact goes beyond the direct target to the end users who are unable to reach popular sites and also to the sites themselves, which rely on traffic to provide ad revenue, says Tim Matthews, vice president of marketing at Imperva for the Imperva Incapsula product line.

The attacker doesn’t need vast resources, given the availability of relatively inexpensive DDoS for hire services. “An individual could have launched an attack this big,” he says. The capabilities of individual attackers were fortified recently with the release of software that helps the marshalling of giant botnets capable of massive DDoS attacks.

There’s no evidence that the Dyn attacks are centered on the same tool known as MIrai, but Cunningham thinks it’s possible, given the size.

The persistence of the Dyn attackers indicates a determined foe who will likely seek out more victims within days or weeks, he says.

To defend themselves, providers need to put in anti-DDoS gear as far upstream as they can in order to deflect this type of attack and so protect their customers, he says.

Corporate organizations looking to preserve availability of their Web sites should sign up with more than one DNS provider and monitor traffic against their sites. If there’s a spike, they should pivot to the other provider before the attack affects availability, experts say.

This story, "DDoS attack against Dyn could indicate a new use of old criminal tech" was originally published by
Network World.